Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: at least one processor; and at least one memory coupled to the processor, comprising instructions that cause the at least one processor to perform operations comprising: receiving, by the system, a first ownership voucher for a device, wherein the first ownership voucher identifies a first entity as being an owner of the device; receiving, by the system, a second ownership voucher indicative of the first entity changing the owner of the device to a second entity; determining, by the system, that the first entity is the owner of the device based on the first ownership voucher; updating, by the system, the owner of the device to be the second entity via storing the second ownership voucher; based on receiving second user input associated with the second entity, verifying, by the system, the second entity as the owner of the device using the second ownership voucher; based on verifying the second entity as the owner, storing, by the system, an identifier of a device onboarding service that was accessed as part of performing the verifying, wherein the device onboarding service is separate from the system, wherein the device onboarding service enforces a first policy that only the owner of the device is authorized to transfer ownership of the device, and wherein the device onboarding service enforces a second policy that only an immediately-prior owner of the device is authorized to revoke an ownership transfer of the device; and in response to receiving a message from the device, directing, by the system, the device to access the device onboarding service to provision the device using the identifier of the device onboarding service.
2. The system of claim 1, wherein the receiving the first ownership voucher, the receiving the request, the determining, the updating, the receiving the identifier, and the directing are performed by a device discovery service of the system.
3. The system of claim 1, wherein the receiving the first ownership voucher, the receiving the request, the receiving the second ownership voucher, the updating, the receiving the second user input, the verifying, and the directing are performed by a central authority of the system.
4. The system of claim 1, wherein the receiving the first ownership voucher, the receiving the request, the determining, the updating, the receiving the identifier, and the directing are performed by a device discovery service of the system, and wherein the device discovery service is a member of a group of device discovery services that is configured to provide device discovery services to the device.
5. The system of claim 1, wherein the first ownership voucher is stored and maintained, with respect to updates to owning the device, on a data store or a blockchain.
6. The system of claim 1, wherein the identifier of the device onboarding service is a first identifier, wherein the receiving the first ownership voucher, the receiving the second ownership voucher, the determining, the updating, the receiving the second user input, the verifying, and the directing are performed by a central authority of the system, and wherein the central authority is identified by a second identifier comprised in a device credential on the device.
7. The system of claim 1, wherein the identifier of the device onboarding service is a first identifier, wherein the receiving the first ownership voucher, the receiving the second ownership voucher, the determining, the updating, the receiving the second user input, the verifying, and the directing are performed by a central authority of the system, and wherein the central authority is identified by a second identifier comprised in the first ownership voucher.
8. A method, comprising: receiving, by a system comprising at least one processor, a first ownership voucher applicable to ownership of a device, wherein the first ownership voucher identifies a first entity as an owner of the device and a prior owner, wherein the first ownership voucher identifies that the owner has permission to set a new owner of the device, wherein the first ownership voucher identifies that the prior owner has permission to revoke the first entity from being the owner of the device, wherein the system is configured to enforce a first policy that only the owner of the device is authorized to transfer ownership of the device, and wherein the system is configured to enforce a second policy that only an immediately-prior owner of the device is authorized to revoke an ownership transfer of the device; receiving, by the system, a second ownership voucher indicative of the first entity changing the owner of the device to a second entity; determining, by the system, that the first entity is the owner of the device based on the first ownership voucher; updating, by the system, the owner of the device to the second entity via storing the second ownership voucher; based on verifying the second entity as the owner of the device using the second ownership voucher, storing, by the system, an identifier of a device onboarding service that is received based on user input from the second entity, wherein the device onboarding service is separate from the system; and based on a message received from the device, directing, by the system, the device to access the device onboarding service for a provisioning of the device via the identifier of the device onboarding service.
9. The method of claim 8, further comprising: in response to receiving a third ownership voucher that indicates that the second entity has updated the owner of the device to a third entity, and in response to determining that the second entity is the owner of the device based on the second ownership voucher, updating, by the system, the owner of the device to the third entity via storing the third ownership voucher.
10. The method of claim 8, further comprising: after storing the second ownership voucher, based on a message received by the system indicative of a further attempt to update the owner of the device by the first entity, and in response to determining that the first entity is no longer the owner of the device based on the second ownership voucher, determining, by the system, not to update the owner of the device.
11. The method of claim 8, wherein the identifier of the device onboarding service is a first identifier, and wherein the storing the identifier of the device onboarding service comprises: storing, by the system, an association between the first identifier of the device onboarding service and a second identifier of the device.
12. The method of claim 8, wherein the identifier of the device onboarding service comprises an Internet Protocol address of the device onboarding service.
13. A non-transitory computer-readable medium comprising instructions that, in response to execution, cause a system comprising at least one processor to perform operations, comprising: receiving a second ownership voucher from a first entity indicative of changing an ownership of a device from the first entity to a second entity, wherein the system is configured to enforce a first policy that only the owner of the device is authorized to transfer ownership of the device, and wherein the system is configured to enforce a second policy that only an immediately-prior owner of the device is authorized to revoke an ownership transfer of the device; determining that the first entity has the ownership of the device based on a first ownership voucher of the device that identifies the first entity of the ownership of the device, wherein the first ownership voucher indicates that the first entity has a permission to specify a new owner of the device; updating the ownership of the device to the second entity via storing the second ownership voucher; based on verifying the second entity as the owner of the device using the second ownership voucher, storing an identifier of a device onboarding service that is received based on user input from the second entity, wherein the device onboarding service is separate from the system; and based on a message received from the device, directing the device to access the device onboarding service for a provisioning of the device via the identifier of the device onboarding service.
14. The non-transitory computer-readable medium of claim 13, wherein the receiving the second ownership voucher, the determining, the updating, the storing the identifier, and the directing are performed by a device discovery service of the system.
15. The non-transitory computer-readable medium of claim 13, wherein the receiving the second ownership voucher, the determining, the updating, the storing the identifier, and the directing are performed by a central authority of the system.
16. The non-transitory computer-readable medium of claim 13, wherein the ownership of the device is maintained according to a fast identity online device onboarding protocol.
17. The non-transitory computer-readable medium of claim 13, wherein the operations further comprise: maintaining a chain of ownership in the second ownership voucher that identifies the first entity as having formerly owned the device and identifies the second entity as having the ownership of the device.
18. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise: revoking the second entity as having the ownership of the device by removing a first part of the ownership voucher that identifies the second entity as having the ownership of the device to produce a second updated ownership voucher; and determining that the first entity has the ownership of the device in the second updated ownership voucher based on a second part of the second updated ownership voucher that identifies the first entity as formerly having had the ownership of the device.
19. The non-transitory computer-readable medium of claim 18, wherein the operations further comprise: determining to revoke the second entity as having the ownership of the device based on validating a message associated with the second entity that is indicative of revoking the second entity as having the ownership.
20. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise: receiving a message associated with a third entity to revoke the second entity as having the ownership of the device; and determining not to revoke the second entity as having the ownership of the device based on determining that the third entity does not have the ownership of the device as represented by the second ownership voucher.
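The mechanism the claims describe, as an added example that is not the patent's, the USPTO's, or any vendor's code: an ownership voucher held as a chain of entries, a service that enforces the two policies (only the current owner may transfer; only the immediately-prior owner may revoke the last transfer, which removes the last chain entry), a per-device onboarding-service identifier that only the verified owner may set, and the redirect the device receives. Everything here is an assumption for illustration: the entity names, the device GUID and the service URL are made up, and owners authenticate their requests with an HMAC key registered with the service, standing in for the per-owner public-key signatures a real FIDO Device Onboard voucher carries.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed key registry (assumption): the service checks each request
# against the key of the entity that claims to have produced it.  A real
# FDO voucher uses owner public keys and signatures, not shared HMAC keys.
ENTITY_KEYS = {
    "manufacturer": b"mfg-secret",
    "distributor": b"dist-secret",
    "retailer": b"ret-secret",
    "intruder": b"intruder-secret",
}


def token(entity: str, *fields) -> str:
    """HMAC over canonical fields; stands in for an owner's signature."""
    payload = json.dumps(list(fields), separators=(",", ":")).encode()
    return hmac.new(ENTITY_KEYS[entity], payload, hashlib.sha256).hexdigest()


@dataclass
class Entry:
    prev_owner: str  # entity that authorised the transfer
    new_owner: str
    mac: str


@dataclass
class Voucher:
    device_guid: str
    initial_owner: str
    entries: list = field(default_factory=list)  # chain of ownership
    epoch: int = 0  # bumped on every change so old tokens cannot be replayed

    def current_owner(self) -> str:
        return self.entries[-1].new_owner if self.entries else self.initial_owner

    def prior_owner(self) -> Optional[str]:
        return self.entries[-1].prev_owner if self.entries else None


class OwnershipService:
    def __init__(self):
        self.vouchers = {}    # device guid -> Voucher
        self.onboarding = {}  # device guid -> onboarding service identifier

    def register(self, v: Voucher) -> None:
        self.vouchers[v.device_guid] = v

    def _authentic(self, entity: str, mac: str, *fields) -> bool:
        return entity in ENTITY_KEYS and hmac.compare_digest(mac, token(entity, *fields))

    def transfer(self, guid: str, signer: str, new_owner: str, mac: str) -> bool:
        """Policy 1: only the current owner may transfer ownership."""
        v = self.vouchers[guid]
        if signer != v.current_owner():
            return False
        if not self._authentic(signer, mac, "transfer", guid, v.epoch, new_owner):
            return False
        v.entries.append(Entry(signer, new_owner, mac))
        v.epoch += 1
        self.onboarding.pop(guid, None)  # the new owner must register its own service
        return True

    def revoke(self, guid: str, signer: str, mac: str) -> bool:
        """Policy 2: only the immediately-prior owner may revoke the last transfer."""
        v = self.vouchers[guid]
        if not v.entries or signer != v.prior_owner():
            return False
        if not self._authentic(signer, mac, "revoke", guid, v.epoch):
            return False
        v.entries.pop()  # drop the last chain entry; the prior owner is current again
        v.epoch += 1
        self.onboarding.pop(guid, None)
        return True

    def set_onboarding_service(self, guid: str, requester: str, mac: str, service_id: str) -> bool:
        """Only the verified current owner may set the onboarding service identifier."""
        v = self.vouchers[guid]
        if requester != v.current_owner():
            return False
        if not self._authentic(requester, mac, "onboard", guid, v.epoch, service_id):
            return False
        self.onboarding[guid] = service_id
        return True

    def device_hello(self, guid: str) -> Optional[str]:
        """Answer the device's message with the onboarding service to contact, if set."""
        return self.onboarding.get(guid)


def demo() -> dict:
    svc = OwnershipService()
    guid, url = "dev-0001", "https://onboard.retailer.example"  # constructed values
    svc.register(Voucher(guid, "manufacturer"))
    v, r = svc.vouchers[guid], {}
    r["mfg_to_dist"] = svc.transfer(guid, "manufacturer", "distributor", token("manufacturer", "transfer", guid, v.epoch, "distributor"))
    r["dist_to_ret"] = svc.transfer(guid, "distributor", "retailer", token("distributor", "transfer", guid, v.epoch, "retailer"))
    # former owner tries to transfer again (claim 10): rejected by policy 1
    r["stale_mfg"] = svc.transfer(guid, "manufacturer", "intruder", token("manufacturer", "transfer", guid, v.epoch, "intruder"))
    # third party tries to revoke (claim 20): rejected by policy 2
    r["intruder_revoke"] = svc.revoke(guid, "intruder", token("intruder", "revoke", guid, v.epoch))
    r["onboard_set"] = svc.set_onboarding_service(guid, "retailer", token("retailer", "onboard", guid, v.epoch, url), url)
    r["redirect"] = svc.device_hello(guid)
    # immediately-prior owner revokes (claims 18-19): the distributor owns the device again
    r["dist_revoke"] = svc.revoke(guid, "distributor", token("distributor", "revoke", guid, v.epoch))
    r["owner_after_revoke"], r["chain_len"] = v.current_owner(), len(v.entries)
    r["redirect_after_revoke"] = svc.device_hello(guid)
    return r
```

The epoch counter is the one detail worth carrying into a real design: after a revocation the chain is byte-for-byte what it was before the transfer, so a token bound only to the chain contents would replay. Binding every authorised request to a monotonically increasing per-device counter (or to a fresh nonce issued by the service) closes that gap.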
September 23, 2025